Polygon Zero’s mission is simple: to use zero-knowledge proofs to scale Ethereum to a billion users, without compromising decentralization or security. Achieving this requires fast and efficient proof systems. Today, we’re excited to share Plonky2, a major milestone for zero-knowledge cryptography.

Plonky2 is a recursive SNARK that is 100x faster than existing alternatives and natively compatible with Ethereum. It combines PLONK and FRI for the best of STARKs, with fast proofs and no trusted setup, and the best of SNARKs, with support for recursion and low verification cost on Ethereum.

Plonky2 represents the latest step in Polygon’s ongoing commitment to building the future of Ethereum, and we’re proud to share our work with the Ethereum community.

If zero-knowledge proofs have a superpower, it’s recursion. SNARKs can verify arbitrary computations, and, since verifying a SNARK is a computation, SNARKs can verify other SNARKs.

To see why that’s useful, suppose that we want to prove that a batch of 1,000 transactions is valid. Generating a single proof to verify 1,000 transactions at once would be expensive and time-consuming.

Instead, we can take 1,000 machines and generate 1,000 proofs in parallel, one for each transaction. Next, we can take these transaction proofs and recursively aggregate them by generating a layer of recursive proofs, with each one verifying two transaction proofs. We repeat this process until we’re left with a single proof that verifies 1,000 transactions.

The recursive approach is faster, less resource-intensive, and can be more decentralized.

Efficiency

Recursive proofs are critical for blockchain scalability. When we started Mir (now Polygon Zero) in 2019, it took two minutes on a fast computer to generate a single recursive proof. 2020 brought recursive proofs to Ethereum with 60 second proving times, and the invention of Halo delivered faster recursive proofs, but without Ethereum compatibility.

In 2021, we had an audacious goal: sub-1 second recursive proofs on Ethereum. We realized that FRI, the polynomial commitment scheme used in STARKs, could offer a significant performance improvement for recursive SNARKs. At the time, this wasn’t obvious. Fractal, the only existing implementation of recursive FRI, took about 10 minutes to generate a proof.

However, FRI has some exciting properties. It allows us to use 64-bit fields, and our team discovered the Goldilocks Field, whose modulus enables extremely efficient field arithmetic on modern CPUs. When combined with PLONK, FRI allows us to write custom gates with many more wires, so we can write circuits that are optimized for efficient recursion.
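The post does not state the modulus; the Goldilocks prime is p = 2^64 - 2^32 + 1. The Rust below is an added example, not Plonky2's own code, showing why that shape makes arithmetic cheap: a 128-bit product reduces mod p with shifts, additions and one 32-bit multiply instead of a division. The function names are illustrative.

```rust
// Added example, not Plonky2's source. Function names are illustrative.
const P: u64 = 0xFFFF_FFFF_0000_0001; // Goldilocks prime: 2^64 - 2^32 + 1
const EPSILON: u64 = 0xFFFF_FFFF; // 2^32 - 1, which equals 2^64 mod P

/// Reduce any 128-bit value mod P without a division.
/// Split x = lo + 2^64 * hi_lo + 2^96 * hi_hi with hi_lo, hi_hi < 2^32.
/// Because 2^64 = 2^32 - 1 and 2^96 = -1 (mod P):
///     x = lo - hi_hi + hi_lo * (2^32 - 1)   (mod P)
fn reduce128(x: u128) -> u64 {
    let lo = x as u64;
    let hi = (x >> 64) as u64;
    let (hi_hi, hi_lo) = (hi >> 32, hi & EPSILON);

    // lo - hi_hi: a borrow means the wrapped result is 2^64 too large,
    // and 2^64 = EPSILON (mod P), so subtract EPSILON to compensate.
    let (mut t, borrow) = lo.overflowing_sub(hi_hi);
    if borrow {
        t = t.wrapping_sub(EPSILON);
    }
    // hi_lo * EPSILON <= (2^32 - 1)^2 < 2^64, so this cannot overflow.
    let (mut r, carry) = t.overflowing_add(hi_lo * EPSILON);
    if carry {
        r = r.wrapping_add(EPSILON); // dropped 2^64, add it back as EPSILON
    }
    if r >= P { r - P } else { r } // r < 2^64 < 2P: one subtraction suffices
}

/// Field multiplication: one 64x64 -> 128 multiply plus the cheap reduction.
fn mul(a: u64, b: u64) -> u64 {
    reduce128((a as u128) * (b as u128))
}

/// Reference implementation using a generic 128-bit remainder.
fn mul_reference(a: u64, b: u64) -> u64 {
    (((a as u128) * (b as u128)) % (P as u128)) as u64
}

fn main() {
    for (a, b) in [(P - 1, P - 1), (1 << 32, 1 << 32), (u64::MAX, 12345)] {
        assert_eq!(mul(a, b), mul_reference(a, b));
        println!("{:#x} * {:#x} mod p = {:#x}", a, b, mul(a, b));
    }
}
```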

This combination of mathematical insight, deep expertise in zero-knowledge cryptography, and amazing low-level optimizations allowed us to make a significant breakthrough. A recursive proof on Plonky2 takes just 170 milliseconds on a MacBook Pro, a 100x improvement over existing alternatives.

Proof Sizes

Plonky2 also allows us to speed up proving times for proofs that don’t involve recursion. With FRI, you can either have fast proofs that are big (so they’re more expensive to verify on Ethereum), or you can have slow proofs that are small. Constructions that use FRI, like the STARKs that Starkware uses in their ZK-rollups, have to choose; they can’t have maximally fast proving times and proof sizes that are small enough to reasonably verify on Ethereum.

Plonky2 eliminates this tradeoff. In cases where proving time matters, we can optimize for maximally fast proofs. When these proofs are recursively aggregated, we’re left with a single proof that can be verified in a small circuit. At this point, we can optimize for proof size. We can shrink our proof sizes down to 45kb with only 20s of proving time (not a big deal since we only generate this proof when we submit to Ethereum), dramatically reducing costs relative to Starkware.

Compatibility

Excitingly, Plonky2 is natively compatible with Ethereum. Plonky2 requires only keccak-256 to verify a proof. We’ve estimated that the gas cost to verify a Plonky2 size-optimized proof on Ethereum will be approximately 1 million gas.

However, this cost is dominated by the CALLDATA costs to publish the proof on Ethereum. If CALLDATA is repriced in EIP-4488, the verification cost of a Plonky2 proof will drop to between 170k and 200k gas, which could make it not only the fastest proving system, but also the cheapest to verify on Ethereum.

Conclusion

Last year, Polygon laid out its commitment to supporting ZK scaling. This represented an important transition, as Polygon moved from providing an essential solution for the present to building the future of Ethereum scaling. Plonky2 is an important step on this journey, and a major breakthrough for the entire space.

ZK L2s have benefited from a lot of hype, but current solutions rely on cryptographic primitives that are inefficient and limit scalability. Ultimately, L2s will compete on throughput and cost, and Plonky2 gives the Polygon ecosystem the opportunity to build the most performant and scalable L2s.

Join us on GitHub or tune in to our blog to learn more about zero-knowledge proofs. Let’s bring the world to Ethereum!
